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CLAIMS 

1. In a method designed to prove to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity. 

by means of all or part of the following parameters or derivatives of 
these parameters: 

- a public modulus n constituted by the product of f prime factors p v 
p 2 , ... p f (f being equal to or greater than 2), 

- a public exponent v; 

- m distinct integer base numbers g 19 g 2 , ... g m (m being greater than 
or equal to 1), the base numbers g f being such that: 

the two equations (1) and (2): 

x 2 = gj mod n and x 2 = - g, mod n 
cannot be resolved in x in a ring of integers modulo n, 
and such that: 
the equation (3): 

x v = gj 2 mod n 
can be resolved in x in the ring of integers modulo n. 

the method according to the invention making it possible to produce the f 
prime factors p lf , p^, ... p r in such a way that the equations (1), (2) and (3) 
are satisfied, said method comprising the step of choosing firstly: 

• the m base numbers g v g v . . . g m , 

• the size of the modulus n, 

• the size of the f prime factors p v p v . . . p f . 

2. Method according to claim 1 such that, when the public 
exponent v has the form: 

v = 2 k 

where k is a security parameter greater than 1, the security parameter k is 
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also chosen as a prime number. 

3. Method according to one of the claims 1 or 2, such that the m base 
numbers g lt , g^, ... g m , are chosen at least partly among the first integers. 

4. Method according to one of the claims 2 or 3, such that the 
security parameter k is a small integer, especially smaller than 100. 

5. Method according to one of the claims 1 to 4, such that the size of 
the modulus n is greater than several hundreds of bits. 

6. Method according to one of the claims 1 to 5, such that the f prime 
factors p v p^, . . . p f have a size close to the size of the modulus n divided 
by the number f of factors.. 

7. Method according to one of the claims 1 to 6 such that, among the 
f prime factors p ls , , . . . Pf» 

- a number e of prime factors congruent to 1 modulo 4 is chosen, e 
possibly being zero (should e be zero, the modulus n will hereinafter be 
called a basic modulus, should e > 0, the modulus n will hereinafter be 
called a combined modulus), 

- the f-e other prime factors are chosen to be congruent to 3 modulo 
4, f-e being at least equal to 2. 

8. A method according to claim 7 such that, to produce the f-e 
prime factors p lf , p^, . . . p f ^ congruent to 3 modulo 4, 
the following steps are implemented: 

- the first prime factor p x congruent to 3 modulo 4 is chosen and then, 

- the second prime factor p 2 is chosen such that p 2 is complementary 
to pj with respect to the base number g v 

- the factor p M is chosen in carrying out the following procedure in, 
distinguishing two cases: 

(1) the case where i> m 

- the factor p I+1 congruent to 3 modulo 4 is chosen. 

(2) Case where i<m 
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- the Profile (Profile,^)) of g, with respect to the i first prime factors 
Pi is computed: 

- if the Profile^) is flat, the factor p l+1 is chosen such that p i+1 is 
complementary to p t with respect to g l9 

- else, among the i-1 base numbers g 19 g 2 , ... g^ and all their 
multiplicative combinations, the number, hereinafter called g, is chosen 
such that ProfiIe,(g) = Profile,^), and then p l+1 is chosen such that 
Profile l+1 ( & ) * Profile l+1 (g). 

(the terms "complementary", "profile", "flat profile" having the 
meanings defined in the description). 

9. A method according to claim 8 such that, to choose the last 
prime factor p f-e the following procedure is used in distinguishing three 
cases: 

(1) Case where f-e-1 > m 

• Pf-e * s chosen congruent to 3 modulo 4. 

(2) Case where f-e-1 = m 

• Profile f ^. 1 (g m ) is computed with respect to the f-e-1 first prime 
factors from, p t to p M 

• • if Proflle^Cgn) is flat, p M is chosen such that it is 
complementary to p x with respect to g m , 

• • else: 

• • • among the m-1 base numbers from g t to g m .j and all 
their multiplicative combinations, the number hereinafter called 
g is chosen such that Profile,(g) = Profile^,), 

• • • then p f-e is chosen such that Profile f ^(g) * Profile,., 
c(g m )- 

(3) Case where f-e-1 < m 

• p f-€ is chosen such that the following two conditions are met: 
(3.1) First condition 
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• Profile f ^. 1 (g f ^. 1 ) is computed with respect to the f-e-1 first 
prime factors from p x to p f-e . 1? 

• • If Profile f ^_ 1 (g f ^. 1 ) is flat, p f ^ is chosen so that it meets 
the first condition of being complementary to p t with respect to 

2f-e-l* 

• • Else, 

• • • among the f-e-1 base numbers from g x to g^ 
and all their multiplicative combinations, the number, 
hereinafter called g is chosen such that Profile^) = 
Profile^g^), 

• • • then p f-c is chosen so that it meets the first 
condition of being such that Profile^ (g) * Profile^ (g m ), 

(3.2) Second condition 

• among all the last base numbers from g f . e to g m , those numbers 
whose Profile Profile f . e . 1 (g l ) is flat are chosen and then 

• Pr-e is chosen so that it meets the second condition of being 
complementary to p x with respect to each of the base numbers thus 
selected. 

10, Method according to the claims 8 or 9 such that, to produce 
the e prime factors congruent to 1 modulo 4, each prime factor candidate p 
is evaluated, from p f-e to p n in being subjected to the following two 
successive tests: 
(1) First test 

- the Legendre symbol is computed for each base number g, 
from g t to g m , with respect to the candidate prime factor p, 

• if the Legendre symbol is equal to -1, the candidate p is 

rejected, 

• if the Legendre symbol is equal to +1, the evaluation of 
the candidate p is continued in passing to the following base 
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number and then, when the last base number has been taken 
into account, there is a passage to the second test. 
(2) Second test 

- an integer number t is computed such that p-1 is divisible by 2\ 
but not by 2 t+l , then 

- an integer s is computed such that s = (p-l+l 1 )/!" 1 . 

- the key (s, p> is applied to each public value G, to obtain a 
result r 

r= G, s modp 

• if r is equal to g { or - g, the second test is continued in 
passing to the following public value G i+1 . 

• if r is different from gj or - g i9 a factor u is computed in 
applying the following algorithm: 

• • the algorithm consists of the repetition of the following 
sequence specified for an index ii ranging from 1 to t-2: 

• • the algorithm implements two variables: w initialized by 
r and jj = 2" assuming values ranging from 2 to 2 t 2 , as well a 
number b obtained by application of the key <(p-l)/2 c , p> to a 
non-quadratic residue of CG(p), then the following steps 1 and 
2 are iterated: 

• • • Step 1 : wVG; (mod p) is computed, 

• • • Step 2: the result is raised to the power of 2 l4M , 

••• • If +1 is obtained, the second test is 
continued in passing to the following public value 

• • • • If -1 is obtained, jj = 2 U is computed and 
then w is replaced by w.b" (mod p), then the 
algorithm is continued for the following value having 
an index ii. 
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• • at the end of the algorithm, the value in the variable jj is 
used to compute an integer u by the relation jj = 2 t u and 
then the expression t-u is computed. Two cases arise: 

• • • if t-u < k, the candidate p is rejected 

• • • if t-u > k, the evaluation of the candidate p 
is continued in continuing the second test and in passing 
to the following public value G i+lt the candidate p is 
accepted as a prime factor congruent to 1 modulo 4 if, at 
the end of the second test, for all the m public values G i9 it 
has not been rejected. 

11. Method applying the method according to any of the claims 
1 to 10, making it possible to produce f prime factors p lj9 p^, . . . p f , this 
method being designed to prove the following to a controller entity, 

- the authenticity of an entity and/or 

- the integrity of a message M associated with this entity, 

by means of all or part of the following parameters or derivatives of these 
parameters: 

- m pairs of private values Q 19 Q 29 ... Q m and public values G 2 , ... 
G m (m being greater than or equal to 1), 

- the public modulus n constituted by the product of said prime 
factors f pj, p 2 , ... p f (f being greater than or equal to 2), 

- the public exponent v; 

said modulus, said exponent and said values being linked by relations of 
the following type: 

Gj . Q, v = 1 . mod n or G| = Q, v mod n . 
said exponent v being such that 

v = 2 k 

where k is a security parameter greater than 1. 

said public value G, being the square g, 2 of the base number g, smaller than 
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the f prime factors p v p 2 , ... p f , the base number g, being such that: 
the two equations: 

x 2 = g| mod n and x 2 = - g| mod n 

cannot be resolved in x in the ring of integers modulo n 
and such that: 
the equation: 

x v = gj 2 mod n 

can be resolved in x in the ring of the integers modulo n. 
said method implements, in the following steps, an entity called a witness 
having f prime factors p, and/or parameters of the Chinese remainders of the 
prime factors and/or of the public modulus n and/or the m private values Q 8 
and/or f.m components Q u (Q u = Q. mod pj) of the private values Qj and 
of the public exponent v; 

- the witness computes commitments R in the ring of integers modulo 
n; each commitment being computed: 

• either by performing operations of the type: 

R = r v mod n 
where r is a random factor such that 0 < r < n, 

• or 

• • by performing operations of the type: 

Ri^r^modpj 

where r,is a random value associated with the prime number p { such that 0 
< r i< Pi> each r, belonging to a collection of random factors {r x , r 2 , ... r f }, 

• • then by applying the Chinese remainder method; 

- the witness receives one or more challenges d, each challenge d, 
comprising m integers d, hereinafter called elementary challenges; the 
witness, on the basis of each challenge d, computing a response D, 

• either by performing operations of the type: 

D^r.Q, d \Q 2 d2 ....Q m dm modn 
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• or 

• • by performing operations of the type: 

D l ^r l .Q M dl .Q u d2 ....Q lfm dm modp i 

• • and then by applying the Chinese remainder method. 

said method being such that there are as many responses D as there are 
challenges d as there are commitments R, each group of numbers R, d, D 
forming a triplet referenced {R, d, D}. 

12. A method according to claim 11 such that to implement the 
pairs of private values Q 19 Q 2 , ... Q m and public values G 19 G 2 , ... G m as 
just described, the method uses the prime factors p l9 p 2 , ... p f and/or the 
parameters of the Chinese remainders, the base numbers g 19 g 29 ... g m and/or 
the public values G 19 G 29 ... G m to compute: 

- either the private values Q 19 Q 2 , ... Q m by extracting a k-th square 
root modulo n of G,, or by taking the inverse of a k-th square root modulo 
n of Gj, 

- or the fan private components Q Uj of the private values Q i9 Q 2 , ... 
Q m such that Q u = Q, (mod pj). 

13. A method according to claim 12 such that, to compute the 
f.m private components Q^jof the private values Q l9 Q 2 , ... Q m : 

- the key <s, Pj ) is applied to compute z such that: 

z = G, s (mod pj) 

- and the values t and u are used. 

- computed as indicated here above when pj is congruent to 1 
modulo 4 and 

• taken to be respectively equal to 1 (t=l) and 0 (u=0) where p j( 
is congruent to 3 modulo 4. 

• • if u is zero, we consider all the numbers zz such that: 

• • • zz is equal to z or such that 

• • • zz is equal to a product (mod pj) of z by each of 
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2 iU 2"-th primitive roots of unity, ii ranging from 1 to min(k,t). 

• • If u is positive, we consider all the numbers zz such that zz is 
equal to the product (mod pj) of za by each of the 2 k 2 k -th roots of 
unity, za designating the value of the variable w at the end of the 
algorithm implemented in claim 10, 

- at least one value of the component Q u is deduced therefrom, 
it is equal to zz when the equation G, s Q, v mod n is used or else it is 
equal to the inverse of zz modulo pj of zz when the equation G, . Q, v 
= 1 . mod n is used. 



